critical

SSL Handshake Failed

SSL/TLS handshake between client and server failed to complete.

Common Causes

  1. 1Invalid or corrupt server certificate
  2. 2No common cipher suites
  3. 3Only legacy TLS versions enabled
  4. 4SNI misrouting presents the wrong certificate
  5. 5Server unexpectedly requires client certificates (mTLS)
  6. 6Firewall interference
  7. 7Key/certificate mismatch

How to Fix

Verify certificate and key match

openssl x509 -noout -modulus -in cert.pem | openssl md5
openssl rsa -noout -modulus -in key.pem | openssl md5

Both commands should output the same hash. If not, they're mismatched.

Inspect where the handshake stops

openssl s_client -connect example.com:443 -servername example.com

Read the output: a protocol alert means version/cipher config, a non-zero verify code means the certificate or chain, and the wrong certificate appearing means SNI routing.

How ObserveOne Helps

ObserveOne performs a fresh TLS handshake from outside on every scheduled check, so the first failed handshake becomes an alert rather than a trend in your bounce rate.

Start Monitoring Free

Related Errors